Cyber Security: How we protect your data
Earlier this year, we were approached by a company called Practice Protect, which is a platform that provides accountants and bookkeepers with 24/7 cloud data security. I had been concerned/worried about data security (mainly client data) for some time and when Practice Protect called me, I immediately became interested. Here was a ready-made program on offer that gives accounting professionals the opportunity to protect their clients’ data (and their own) via an easy-to-use app. Needless to say, I did end up adopting this app and we now use it in our practice. After some training and setup procedures, I am proud to say that we are a Practice Protect Cloud Best Practice. But why did we do this and how does it work exactly?
Privacy Amendment (Notifiable Data Breaches) Bill 2016
So why have we adopted Practice Protect into our practice? The simple answer is that being 100% cloud-based, our clients’ data is at risk every day of being stolen or compromised in some way despite our best efforts to shield it. Further to this, our employees work remotely and so I felt that I didn’t have proper control over their data security (or lack thereof) – how can you when they are living in different states?! With cyber crime on the rise and criminals getting cleverer in terms of finding ways to steal data, I felt that using some sort of protection app to assist our practice was a no-brainer. The security of my clients’ data has been worrying me for some time so to have this added protection available to us 24/7 is such a relief. Let’s face it, when you’re online, you’re at risk – it’s a very difficult thing to control at the best of times!
So that was the main reason for using Practice Protect – because I have a duty of care to keep our clients’ data protected at all times, but there is another reason too – the recently announced Mandatory Breach Reporting Legislation. This legislation came into effect on 22nd February 2018 and affects many businesses, not just accounting professionals like us. Basically, under the new law, if an organisation determines that their data has been breached/lost/stolen, it is required to report the incident to the Privacy Commissioner AND to all affected clients. While the law mainly applies to organisations with an annual turnover of more than $3 Million, the law does apply to some businesses with a lower turnover, particularly those who handle credit reporting information, tax file numbers and health records. As our practice does handle and store the tax file number data for several clients, this law applies directly to our practice. While I realise that a data breach can happen at any time and for a number of reasons, I do now feel better about our situation given our association with Practice Protect. Practice Protect has provided us with the right tools should a data breach occur and a plan to follow etc. I hope we never have to use it but if we do, I know we will have their support and assistance.
This video explains in plain English how the data breach laws can affect a firm like ours:
How does Practice Protect work?
Essentially, this app is password protection software but does come with a lot of added extras! We used to use LastPass for our password protection but as mentioned above, I could never be sure that my staff were using LastPass for all passwords or even if they were using it at all. I had no control over where they stored passwords and if they allowed their browsers to save stored passwords. As I said, all of this worried me a great deal – I don’t do well when I can’t control my environment! Practice Protect is an app that houses all of your practice apps and is only accessible via one login per user. The app does not store any passwords and they are not visible to users either so if you forget a password to an app, you have to reset it (by “you” I mean an administrator, usually the practice owner). So users only need one login and they don’t need to remember or store any passwords for internal apps at all. That is the first layer of protection.
The second layer of protection is found in control of users and their daily online activity. The administrator can track a user’s activity in real time and see which apps were accessed and by whom – a necessity should a breach occur and reporting be required! It is also possible to grant or revoke staff access to particular apps, allowing practice owners full control over what their staff see or use. Also, it is possible within the app to restrict staff access geographically (i.e. only grant access from inside Australia or from certain countries). The protection extends to all devices used by all users, including smartphones. Via initial setup, user-initiated cloud password resets are diverted to the administrator/practice owner, meaning staff/users cannot attempt to change any passwords. Practice Protect also allows for two-factor authentication as an extra security layer.
Lastly, Practice Protect provides users with thorough training both with regard to the use of the app and cyber security for your practice. Practice owners are provided with a full set of policy document templates that can be adapted for their own use, which I have found particularly beneficial. Also provided is a data breach response plan and access to an emergency breach response hotline. We have done the training and as such, “
Using Practice Protect has given me peace of mind – I still worry about cyber security but not as much. I feel like I am doing all that I can to protect our clients and their data. Previously I felt like I was not honouring my duty of care to clients re cyber security, particularly regarding the use of remote staff and not having any control over their digital activity. If the worst happens and I do end up having a data breach, I know that the practice is more prepared now and with a plan in place, will be better able to handle the situation.